File Access Auditing on Exchange 2003 Server

Jimmy - 28 Jun 2005 12:01 GMT
Our company has an Exchange 2003 SP1 server that runs on Windows 2003 Std. It will
update to SP1 in a few weeks. The server also does file sharing for all our
40+ users.

We want to enable auditing to keep track of read/write activities on the
file shares. I did attempt to turn on Success/Failure of Object Access in Local
Security Policy. I didn't turn on auditing on any File System yet. Then I
discovered a lot of Exchange object access (ID 562) were tracked in the security
log. Size increase is more than 6MB for merely an hour. That makes auditing
impractical to implement.

Did I do anything wrong on the setup or is this a necessary evil of auditing
on E2K3?

Jimmy
Steven L Umbach - 28 Jun 2005 15:26 GMT
Auditing of object access can make a huge amount of entries in the security
log even when you have not enabled auditing on any folders yet. One thing to
check is that in Local Security Policy [secpol.msc], or whatever appropriate
security policy, the security option for "Audit: Audit the access of
global system objects" is disabled. I can tell you right now that keeping
track of read activities will generate a huge amount of events. When you do
audit a folder it is best to audit the absolute minimum number of permissions
for the absolute minimum number of users/groups and avoid auditing for the everyone,
users, authenticated users groups but instead use a global/local group of
just the users you want to track. The free MS tool Event Comb can help in
tracking object access events and it can search by text string such as for
filename or user name. The link below may help.   --- Steve

http://www.microsoft.com/technet/security/topics/auditingandmonitoring/securitymonitoring/default.mspx


> Our company has an Exchange 2003 SP1 server runs on Windows 2003 Std. It
> will
[quoted text clipped - 17 lines]
>
> Jimmy
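
Steve's advice above (audit the minimum permissions for a dedicated group rather than Everyone) expressed as a scoped audit rule on one share folder. This is an added example, not part of the original thread. It assumes PowerShell is available on the server and an elevated session holding the "Manage auditing and security log" right; the folder path and group name are hypothetical placeholders.

```powershell
# Assumed values, not from the thread: replace with your share folder and audit group.
$Path  = 'D:\Shares\Finance'
$Group = 'EXAMPLE\FileAudit-Finance'

# Audit changes only. Read rights are left out on purpose, because read
# auditing is what floods the security log.
$rights = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership'

# Apply to the folder, its subfolders and its files.
$inherit   = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate = [System.Security.AccessControl.PropagationFlags]::None
$outcome   = [System.Security.AccessControl.AuditFlags]'Success, Failure'

$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    $Group, $rights, $inherit, $propagate, $outcome)

# -Audit is required, otherwise the SACL is not read at all.
$acl = Get-Acl -Path $Path -Audit

# Report existing audit entries for broad groups; these are the ones to replace.
$broad = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users'
$acl.GetAuditRules($true, $true, [System.Security.Principal.NTAccount]) |
    Where-Object { $broad -contains $_.IdentityReference.Value } |
    ForEach-Object {
        Write-Warning ("Broad audit entry: {0} / {1} (inherited: {2})" -f `
            $_.IdentityReference, $_.FileSystemRights, $_.IsInherited)
    }

# Add the scoped rule and write the SACL back.
$acl.AddAuditRule($rule)
Set-Acl -Path $Path -AclObject $acl

# Read the SACL back to confirm what is now audited.
(Get-Acl -Path $Path -Audit).GetAuditRules($true, $true, [System.Security.Principal.NTAccount]) |
    Format-Table IdentityReference, FileSystemRights, AuditFlags, IsInherited -AutoSize
```

The rule only produces events while "Audit object access" is enabled in the applicable security policy, which is the setting Jimmy already turned on.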
Jimmy - 29 Jun 2005 12:05 GMT
Checked that "audit the access of global system objects" is disabled.

Jimmy

> Auditing of object access can make a huge amount of entries in the security
> log even when you have not enabled auditing on any folders yet. One thing to
[quoted text clipped - 32 lines]
> >
> > Jimmy